Cert-manager dns propagation error

Posted on December 8, 2020

I set up SSL with cert-manager on DigitalOcean Kubernetes. The certs were being issued until I decided to add two subdomains to my ingress rules; the already existing ones are about 4.

When I apply the ingress rules, it returns the following error:

E1208 13:37:06.384727 1 sync.go:184] cert-manager/controller/challenges "msg"="propagation check failed" "error"="DNS record for \"subdomain.example.io\" not yet propagated" "dnsName"="subdomain.example.io" "resource_kind"="Challenge" "resource_name"="example-letsencrypt-certificate-4047343803-758986247-1121119393" "resource_namespace"="production" "type"="dns-01"

  • I can access the services via the domain names, although SSL is not enabled.
  • When I remove the two new subdomains, the certs are issued for the previously existing subdomains in the ingress rules.
  • I accessed the DigitalOcean droplet via SSH and ran nslookup for the domains; one of them returns the correct DNS information, while the other returns the error: server can’t find api.subdomain.example.io: NXDOMAIN



Hello,

This issue seems to be related to DNS propagation. DNS changes, such as adding subdomains, can take up to 48 hours to propagate worldwide, although most places will see the changes within a few hours.

Here are a few steps to troubleshoot the issue:

  1. Check DNS Settings: Verify that the DNS records for the new subdomains have been correctly set up in your DNS configuration on DigitalOcean. You should have A records pointing to the IP address of your Kubernetes ingress controller.

  2. Wait for DNS Propagation: DNS propagation can take up to 48 hours, but it usually happens much faster. You can use an online DNS lookup tool to check the status of the DNS propagation. Just search for “DNS propagation check” in your favorite search engine.

  3. Manually Check DNS Resolution: You can manually check the DNS resolution from your own computer and from the Kubernetes nodes. You can use the nslookup command as you already did, or dig command like dig subdomain.example.io.

  4. Review Cert-manager logs: You can review the cert-manager logs for more information. Use the following command to check the logs: kubectl logs -n cert-manager <cert-manager-pod-name>. Replace <cert-manager-pod-name> with the name of your Cert-manager pod.

  5. Force Re-check: If you’re confident that your DNS is set up correctly and has propagated, you can delete the Certificate and Order resources for the failing certificate. Cert-manager will then recreate them and re-check the DNS challenge.

When you add new subdomains to your ingress, Cert-manager needs to issue new certificates. For the DNS-01 challenge, this means creating new DNS records that Let’s Encrypt will check. If there’s any issue with these records (for example, if they’re not propagated yet, or if there’s a mistake in the records), Let’s Encrypt won’t be able to issue the certificates.

Best,

Bobby
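A small triage helper, added here as an example; it is not code from the original post, from DigitalOcean or from cert-manager. It parses the controller's "key"="value" log format shown in the question, groups dns-01 "propagation check failed" lines per Challenge resource (de-duplicating the retries that appear on every sync), and prints the DNS records to query and the kubectl commands to run. The sample log lines are constructed in the format quoted above; the second Challenge name, the http-01 line and the resolver address 1.1.1.1 are assumptions.

```python
"""Triage cert-manager dns-01 "propagation check failed" log lines.

Added example: not code from the original post or from cert-manager.
"""
import re
from collections import defaultdict

# One "key"="value" pair; values may contain escaped quotes, as in
#   "error"="DNS record for \"subdomain.example.io\" not yet propagated"
KV_RE = re.compile(r'"([A-Za-z_]+)"="((?:[^"\\]|\\.)*)"')

# Constructed sample lines in the format quoted in the question. The second
# Challenge name and the http-01 line are made up for the sample.
SAMPLE_LOG = [
    r'E1208 13:37:06.384727 1 sync.go:184] cert-manager/controller/challenges '
    r'"msg"="propagation check failed" '
    r'"error"="DNS record for \"subdomain.example.io\" not yet propagated" '
    r'"dnsName"="subdomain.example.io" "resource_kind"="Challenge" '
    r'"resource_name"="example-letsencrypt-certificate-4047343803-758986247-1121119393" '
    r'"resource_namespace"="production" "type"="dns-01"',
    r'E1208 13:37:09.101233 1 sync.go:184] cert-manager/controller/challenges '
    r'"msg"="propagation check failed" '
    r'"error"="DNS record for \"api.subdomain.example.io\" not yet propagated" '
    r'"dnsName"="api.subdomain.example.io" "resource_kind"="Challenge" '
    r'"resource_name"="example-letsencrypt-certificate-4047343803-758986247-2207718412" '
    r'"resource_namespace"="production" "type"="dns-01"',
    # An http-01 failure uses the same msg but a different check; skipped here.
    r'E1208 13:37:11.000000 1 sync.go:184] cert-manager/controller/challenges '
    r'"msg"="propagation check failed" "error"="self check failed" '
    r'"dnsName"="www.example.io" "resource_kind"="Challenge" '
    r'"resource_name"="example-letsencrypt-certificate-4047343803-758986247-9999999999" '
    r'"resource_namespace"="production" "type"="http-01"',
    # The first failure repeated on the next sync; must not be double-counted.
    r'E1208 13:38:06.000000 1 sync.go:184] cert-manager/controller/challenges '
    r'"msg"="propagation check failed" '
    r'"error"="DNS record for \"subdomain.example.io\" not yet propagated" '
    r'"dnsName"="subdomain.example.io" "resource_kind"="Challenge" '
    r'"resource_name"="example-letsencrypt-certificate-4047343803-758986247-1121119393" '
    r'"resource_namespace"="production" "type"="dns-01"',
]


def parse_log_line(line):
    """Return the structured fields of one controller log line as a dict."""
    return {k: v.replace(r'\"', '"') for k, v in KV_RE.findall(line)}


def failing_dns01(lines):
    """Map (namespace, challenge name) -> sorted dnsNames failing the self-check."""
    failing = defaultdict(set)
    for line in lines:
        f = parse_log_line(line)
        if f.get("msg") != "propagation check failed" or f.get("type") != "dns-01":
            continue
        failing[(f["resource_namespace"], f["resource_name"])].add(f["dnsName"])
    return {key: sorted(names) for key, names in failing.items()}


def records_to_verify(dns_name):
    """The records behind a dns-01 challenge: the TXT record cert-manager
    writes at _acme-challenge.<dnsName> (what its self-check polls for),
    and the host record the ingress itself needs to serve the name."""
    return {"TXT": f"_acme-challenge.{dns_name}", "A": dns_name}


def triage_commands(namespace, challenge, dns_name, resolver="1.1.1.1"):
    """Shell commands to run, in order, for one failing dns-01 challenge.
    The resolver address is an assumption; use the one your cluster uses."""
    rec = records_to_verify(dns_name)
    return [
        f"kubectl -n {namespace} get challenge {challenge} "
        f"-o jsonpath='{{.status.state}} {{.status.reason}}'",
        f"dig +short TXT {rec['TXT']} @{resolver}",  # should print the ACME token
        f"dig +short A {rec['A']} @{resolver}",      # empty/NXDOMAIN: no host record yet
        f"kubectl -n {namespace} describe challenge {challenge}",
    ]


def main():
    for (ns, name), dns_names in sorted(failing_dns01(SAMPLE_LOG).items()):
        for dns_name in dns_names:
            print(f"# {ns}/{name}: {dns_name}")
            for cmd in triage_commands(ns, name, dns_name):
                print(cmd)


if __name__ == "__main__":
    main()
```

The check in the log is cert-manager's own, run before it asks Let's Encrypt to validate: it polls recursive resolvers (by default those in the controller pod's resolv.conf, which normally chain through cluster DNS to the node's upstream) until the TXT record at _acme-challenge.<dnsName> is visible. Two consequences matter when the records already look right at the provider: a resolver that answered NXDOMAIN before the record existed keeps returning that cached negative answer until its TTL expires, and split-horizon or private DNS inside the cluster may never see the public zone at all. Pointing the controller at public resolvers with --dns01-recursive-nameservers=1.1.1.1:53,8.8.8.8:53 together with --dns01-recursive-nameservers-only removes the second failure mode.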
